ClawHub

1password 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent 1Password CLI helper, but its examples normalize exposing secrets in files and terminal output without enough safeguards.

Install only if you are comfortable with the agent using your 1Password CLI context. Avoid examples that print secrets or use --no-masking, write secret output only to protected paths with restrictive permissions, exclude generated files from version control, and delete plaintext secret files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example writes secret material directly to a local file (`./key.pem`) without any warning about filesystem exposure, permissions, cleanup, or accidental inclusion in backups and source control. In a secrets-management skill, normalizing unsafe secret-file handling can lead users to persist sensitive credentials in places that are easier to steal or mishandle.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These examples print a secret-derived environment variable to stdout, and one disables masking with `--no-masking`, which directly encourages disclosure in terminals, shell history, logs, CI output, and screen recordings. In the context of a 1Password CLI skill, demonstrating secret exposure as a normal usage pattern materially increases the chance of credential leakage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example injects secrets into an output file (`config.yml`) without warning that the generated file now contains plaintext secrets. That can cause sensitive data to be left on disk, copied into artifacts, or committed to repositories, which is especially risky in documentation for a secrets tool.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal